Tags: javascript, html, security, xss, content-security-policy

Why is CSP needed for <audio> sources?


I was working on an open source project and tried to add an audio player that played back recorded audio by the user. However, due to CSP constraints made by the main developers, it won't allow me to use blobs as sources for the audio due to default-src 'none'.

Why? There's no danger of an XSS attack, right? How can there be an XSS attack via the "src" attribute of it? I'm not getting it!

Thank you!


Solution

> A CSP isn't needed for audio sources.

You have a CSP and it is set to restrict audio sources (via the default restrictions).

CSP isn't designed to exclude certain types of resource because they are believed to always be safe (until a bug means they aren't). If it restricts sources by default then that includes audio sources.

> There's no danger of an XSS attack, right?

CVE-2017-14450 details a bug in an image parsing library where a GIF could trigger a buffer overflow (which could then in turn be used for arbitrary code execution).

Media files are generally safe, but there's no guarantee.
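To make the "default restrictions" concrete, here is an added example (not code from the question, the answer, or the project in question) that models how a browser decides whether an `<audio src>` may load under a policy: `media-src` falls back to `default-src`, `'none'` blocks everything, and a `blob:` URL is only allowed when the scheme is listed explicitly, because `'self'` compares schemes and a blob's scheme is `blob`, not `https`. The policy strings and the `https://app.example` origin are constructed; host-source matching is simplified to exact origins.

```javascript
// Added example, not code from the question or answer: a minimal model of how
// a browser checks an <audio src="..."> against a CSP. It covers only what the
// thread needs (media-src falling back to default-src, 'none', 'self', '*' and
// scheme sources such as blob:); real CSP matching has more rules, and the
// host-source branch below is simplified to an exact-origin comparison.

// Parse "directive src src; directive src" into a Map of directive -> sources.
function parsePolicy(policyText) {
  const directives = new Map();
  for (const part of policyText.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// True if the single source expression `src` matches `url` for a page at `pageOrigin`.
function sourceMatches(src, url, pageOrigin) {
  const self = new URL(pageOrigin);
  if (src === "'self'") {
    // 'self' compares scheme and host. A blob: URL's scheme is "blob", so
    // 'self' never matches it even though the page itself minted the blob.
    return url.protocol === self.protocol && url.host === self.host;
  }
  if (src.endsWith(":")) return url.protocol === src.toLowerCase(); // scheme-source, e.g. blob:
  if (src === "*") return !["blob:", "data:", "filesystem:"].includes(url.protocol);
  return url.origin === src.replace(/\/$/, "");                    // simplified host-source
}

// Decide whether a media element may load `mediaUrl` under `policyText`.
function mediaAllowed(policyText, mediaUrl, pageOrigin) {
  const directives = parsePolicy(policyText);
  // <audio>/<video> are governed by media-src; without it, default-src applies.
  const sources = directives.get("media-src") ?? directives.get("default-src");
  if (sources === undefined) return true;        // no applicable directive at all
  if (sources.includes("'none'")) return false;  // 'none' blocks every source
  const url = new URL(mediaUrl);
  return sources.some((src) => sourceMatches(src, url, pageOrigin));
}

// Constructed sample: a blob: URL created by the page (e.g. from a recording).
const RECORDING = "blob:https://app.example/6f0c3d2a-constructed";
const ORIGIN = "https://app.example";
console.log(mediaAllowed("default-src 'none'", RECORDING, ORIGIN));                        // false
console.log(mediaAllowed("default-src 'self'", RECORDING, ORIGIN));                        // false
console.log(mediaAllowed("default-src 'none'; media-src 'self' blob:", RECORDING, ORIGIN)); // true
```

The last policy is the shape the project would need to allow the recorded blob while still blocking everything else by default.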